fix: stop stable index clobber on BE publish + dearmor key in docs#3
Open
bpamiri wants to merge 1 commit into
Open
fix: stop stable index clobber on BE publish + dearmor key in docs#3bpamiri wants to merge 1 commit into
bpamiri wants to merge 1 commit into
Conversation
The stable apt index at apt.wheels.dev was being emptied on every
bleeding-edge publish. regenerate-apt-metadata.sh rebuilt BOTH channels
each run, but the workflow syncs only the dispatched channel's pool into
the runner — so a bleeding-edge run scanned an empty local pool/stable,
emitted an empty Packages, and the unscoped `find dists` upload overwrote
the good stable index on R2. Result: `apt install wheels` returned
"Unable to locate package wheels" even though wheels_4.0.2_amd64.deb was
present in the pool.
- regenerate-apt-metadata.sh now honors a CHANNELS env (default both, for
manual full-tree repair); the workflow passes the single dispatched
channel, so a run only rebuilds the dist whose pool it synced.
- The dists upload is scoped to dists/${CHANNEL}/ (defense-in-depth).
- The landing page (index.html) and README install snippets now pipe the
ASCII-armored key through `gpg --dearmor` before writing the keyring;
modern apt rejects an armored key in a signed-by= keyring.
Mirrors wheels-dev/wheels#2846 (the in-repo template). A one-off stable
re-publish is needed after merge to rebuild the now-empty index:
gh workflow run wheels-released.yml -f version=4.0.2 -f channel=stable
Fixes the install half of wheels-dev/wheels#2838.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Peter Amiri <peter@alurium.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the install-blocking half of wheels-dev/wheels#2838. This is the live counterpart to wheels-dev/wheels#2846 (which patches the in-repo template copy of these files).
Bug
apt install wheelsreturns "Unable to locate package wheels" even though the stable.debis in the pool — because the stablePackagesindex atapt.wheels.dev/dists/stable/main/binary-amd64/Packagesis 0 bytes:.debin poolPackagesindexwheels_4.0.2_amd64.deb(80 MB, HTTP 200)Root cause:
regenerate-apt-metadata.shloops over both channels every run, but the workflow only syncs/slots the dispatched channel's pool into the runner. On a bleeding-edge publish (which fires on everydevelopmerge) thestableiteration scans an empty localpool/stable/, emits an emptyPackages, and the upload step's unscopedfind dists -type fpushes it to R2 — clobbering the good stable index. The stableInReleaseis timestamped identically to the latest BE run and lists the empty-string hash forPackages, confirming this.Fix
regenerate-apt-metadata.shhonors aCHANNELSenv (defaults to both for manual full-tree repair); the workflow passes the single dispatched channel, so a run only rebuilds the dist whose pool it synced.dists/${CHANNEL}/(defense-in-depth).index.html) andREADME.mdinstall snippets pipe the ASCII-armored key throughsudo gpg --dearmorbefore writing/usr/share/keyrings/wheels.gpg— modernaptrejects an armored key in asigned-by=keyring.Verified with a stubbed-
apt-ftparchiveharness: the current script emits an emptydists/stable/Packageson a bleeding-edge run; withCHANNELS=bleeding-edgeit emits none and leaves the stable index untouched, while bleeding-edge still indexes correctly.After merge — rebuild the empty stable index
R2's stable index is already empty and won't self-heal. Trigger a one-off stable re-publish (uses the existing
.debin the pool):Then confirm
https://apt.wheels.dev/dists/stable/main/binary-amd64/Packagesis non-empty andsudo apt update && sudo apt install wheelsworks on a clean Debian/Ubuntu host.🤖 Generated with Claude Code